hc-httpclient-users mailing list archives

From Ron Jacobs <Ron.Jac...@Reardencommerce.com>
Subject RE: Full NTLMv2 Support Achieved Easily (Was: NTLM authentication with a UPN instead of domain and user name)
Date Thu, 21 Apr 2011 21:24:56 GMT
I am not saying that anything doesn't work. I am saying that I have
looked at the code and see multiple problems based upon my reading of
the NTLM specification that was first publicly released by Microsoft in
March of 2007.

I am still trying to walk on eggshells so as to not be critical and I
will not give specific technical examples. But to reiterate, this code
appears to predate the public release of the NTLM specification.

Although I did find a minor issue in the JCIFS code on the deleted web
page, it was easy to detect and fix and that was the intent of my first
posting earlier today.

If the code you are using is working with the specific configuration
that you are using then I don't see any pressing reason for concern. On
the other hand if you, like I, do not control any of the many variables
inherent in the Windows servers against which you must be able to
authenticate, then you may be interested in the code that I posted.

-----Original Message-----
From: Marc Boorshtein [mailto:mboorshtein@gmail.com] 
Sent: Thursday, April 21, 2011 2:14 PM
To: HttpClient User Discussion
Subject: Re: Full NTLMv2 Support Achieved Easily (Was: NTLM authentication with a UPN instead of domain and user name)

I find this discussion fascinating. One question, are you saying the Ntlmschemefactory doesn't
work?  I use it as part of my unit tests against adfs 2 running on w2k8r2 64bit and it works
perfectly. 

Thanks
Marc

Sent from my iPad

On Apr 21, 2011, at 5:07 PM, Ron Jacobs <Ron.Jacobs@Reardencommerce.com> wrote:

> I must say that I hadn't wanted to say anything negative about that code
> in my original post(s), but now that you've asked:
> 
> The code now in your 4.1 distribution appears to be minimally (if at
> all) unchanged from some code that I came across during a Google search
> for better supporting NTLM within HttpClient way before I ever upgraded
> to 4.x. I looked at that code in depth sometime last year and concluded
> that there were just too many problems with it.
> 
> Without going into technical details, which I have certainly mostly
> forgotten by now anyway, that code seemed to have been written by
> reverse engineering and guessing about NTLM some time before Microsoft
> (finally) publicly released the NTLM specification. It may have worked
> at one time for some specific combination of Windows parameters and
> options but it was too far away from working for the general cases that
> I needed. You see, unlike many NTLM client-side users that are just
> trying to authenticate against a specific Windows server, I need to work
> with just about any combo of Windows OS versions, service packs,
> registry settings, installed apps, etc.
> 
> So I abandoned that effort and when I recognized the same code inside
> HttpClient, I was not hopeful. It was as I was looking for alternatives
> that I asked the questions that you answered for me last month leading
> me straight to this approach that is working great for us today.
> 
> Seems to me that there is still no "open source" solution that is ready
> to drop into the HttpClient distribution. I believe that the correct
> approach is indeed JCIFS and that your restoring and updating the web
> page is the best solution. If I were "forced" to write some NTLM code
> without licensing issues for HttpClient it would end up looking much
> too uncomfortably close to JCIFS.
> 
> I truly hope that I have offended no one.
> 
> -----Original Message-----
> From: Oleg Kalnichevski [mailto:olegk@apache.org] 
> Sent: Thursday, April 21, 2011 12:23 PM
> To: HttpClient User Discussion
> Subject: Re: Full NTLMv2 Support Achieved Easily (Was: NTLM authentication with a UPN instead of domain and user name)
> 
> ...
> 
> PS: Would you be by any chance willing to take a look at the default
> NTLM engine distributed with HttpClient and see what may be wrong there?
> It'd be a great contribution to all users of HttpClient.
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

